Google will cull out-of-date Play store apps in bid to improve Android security


Android has announced a new Play store security policy that will force developers to update older apps to avoid their software being removed.

With each version of Android, new and more stringent security policies are introduced to improve the security of the Android ecosystem. Following this approach, Android will now require all apps to target an API level that’s within two years of the most recent version.

Each API level is tied to a version of Android, so the most recent version of the operating system, Android 12, carries the most up-to-date API level.

An existing policy states that any new app being added to the Play store, or an existing app that is being updated, needs to target an API level that’s within one year of the current version. The latest policy is an expansion of this, targeting older apps that have not been updated in some time.

This means that any older app will need to be updated to target an API level within two years of Android 12 in order to remain discoverable on the Google Play store and installable by users.

Figure: Timeline of the target API level window (Image credit: Android)

The new requirements will take effect on 1 November 2022, and the requirement window will adjust accordingly as new Android versions are released, Android said.

“The rationale behind this is simple. Users with the latest devices or those who are fully caught up on Android updates expect to realise the full potential of all the privacy and security protections Android has to offer,” said Krish Vitaldevara, director of product management at Android, in a blog post.

“Expanding our target level API requirements will protect users from installing older apps that may not have these protections in place.”

The discovery of malware affecting Android devices is a relatively common occurrence in the cyber security industry, and the new security policy aims to make it more of a rarity.

In the space of a week, numerous reports of new Android malware strains have hit various media outlets, including a Russian-linked Android malware called Process Manager. Discovered by Lab52, the malware is capable of sending and reading SMS messages, plus recording a device’s audio.

At the end of 2021, IT Pro reported that more than 300,000 Android users had downloaded a banking trojan from the Google Play store, with hackers managing to bypass the app store’s security detections.




Without giving specifics, Android said the “vast majority” of apps in the Google Play store are already compliant with the rules soon to be introduced.

Developers who are concerned about implementing the upcoming changes can consult Google’s technical guide, which details the steps that need to be taken for a successful migration.

An optional six-month extension can also be requested if developers can demonstrate they need more time to complete the migration to the target API level. The application form for this will be available in the Developer Play Console later this year, Android said.

Connor Jones
